SERTIT-016 CR Certification Report - Common Criteria · 2011. 5. 3. · SERTIT-016 CR Certification Report Issue 1.0 18th April 2011 Thinklogical VX 40 Router KVM Matrix Switch (VXR-000040

SERTIT, P.O. Box 14, N-1306 Bærum postterminal, NORWAY

Phone: +47 67 86 40 00 Fax: +47 67 86 40 09 E-mail: [email protected] Internet: www.sertit.no

Sertifiseringsmyndigheten for IT-sikkerhet Norwegian Certification Authority for IT Security

SERTIT-016 CR Certification Report Issue 1.0 18th Apri l 2011

Thinklogical VX 40 Router KVM Matrix Switch (VXR-000040 Rev B)

CERTIFICATION REPORT - SERTIT STANDARD REPORT TEMPLATE SD 009 VERSION 2.0 13.09.2007

Thinklogical VX 40 Router KVM Matrix Switch (VXR-

000040 Rev B)

EAL 4

Page 2 of 22 SERTIT-016 CR Issue 1.0

18th Apr i l 2011

ARRANGEMENT ON THE RECOGNITION OF COMMON CRITERIA CERTIFICATES IN

THE FIELD OF INFORMATION TECHNOLOGY SECURITY

SERTIT, the Norwegian Cert if ication Author ity for IT Sec ur ity, is a member of the

above Arrangement and as such this conf irms that the Common Criteria cert if icate

has been issued by or under the authority of a Party to this Arrangement and is the

Party’s cla im that the cert if icate has been issued in accordance with the terms of

this Arrangement

The judgements contained in the cert if icate and Cert if ication Report are those of

SERTIT which issued it and the Norwegian evaluation facil ity (EVIT) which carried

out the evaluation. There is no impl ication of acceptance by other Members of the

Agreement Group of l iabil ity in respect of those judgements or for loss sustained as

a result of rel iance placed upon those judgements by a third party. [ *]

[* Mutual Recognit ion under the CC recognit ion arrangement appl ies to EAL 4.]

Thinklogical VX 40 Router KVM Matrix Switch

(VXR-000040 Rev B)

EAL 4

SERTIT-016 CR Issue 1.0

18th Apr i l 2011

Page 3 of 22

Contents

1 Certification Statement 5

2 Abbreviations 6

3 References 7

4 Executive Summary 8

4.1 Introduction 8

4.2 Evaluated Product 8

4.3 TOE scope 8

4.3.1 System Type and Overview 8

4.3.2 TOE Physical Boundar ies 10

4.3.3 TOE Logica l Boundaries 10

4.4 Protection Profile Conformance 10

4.5 Assurance Level 11

4.6 Security Policy 11

4.7 Security Claims 11

4.8 Threats Countered 11

4.9 Threats Countered by the TOE’s environment 11

4.10 Threats and Attacks not Countered 11

4.11 Environmental Assumptions and Dependencies 11

4.12 IT Security Objectives 12

4.13 Non-IT Security Objectives 12

4.14 Functional Security Requirements 12

4.15 Security Function Policy 13

4.16 Evaluation Conduct 13

4.17 General Points 14

5 Evaluation Findings 15

5.1 Introduction 16

5.2 Delivery 17

5.3 Installation and Guidance Documentation 17

5.4 Misuse 17

5.5 Vulnerabil ity Analysis 18

5.6 Developer’s Tests 18

5.7 Evaluators’ Tests 18

6 Evaluation Outcome 18

6.1 Certification Result 18

6.2 Recommendations 18

6.2.1 Restrict ive Switching 19

Annex A: Evaluated Configuration 20

TOE Identification 20

TOE Documentation 21

TOE Configuration 22


000040 Rev B)

EAL 4


18th Apr i l 2011

Thinklogical VX 40 Router(VXR-000040 Rev B)':'..:. :. :. ".:'.'.:.....':.:. .."'. ..'..'.

KVM Matrix Switch EAL 4

1 Certification StatementForsva rets Log isti kkorga n isasjon / I nvesteri n gsavdel i n gen/ N BF Th i n klog ica I VX 40Router KVM Matrix Switch is a fiber optic switch that uses multi-mode or single-mode fiber optics to transmit and receive a digital video pulse stream withoutalteration or interpretation of the original signal.

Thinklogical VX 40 Router KVM Matrix Switch (VXR-000040 Rev B) has beenevaluated under the terms of the Norwegian Certification Scheme for lT Security andhas met the Common Criteria Part 3 conformant requirements of EvaluationAssurance Level EAL 4 for the specified Common Criteria Part 2 conformantfunctionality in the specified environment when running on the platforms specifiedin Annex A.

,Kjartan Jeger Kvassnrt // //icertirie, /(_/!}4a,n^-*

' Author

i

i.**-----^--rOuality

i

Assurance La rs Borgos

Ouality Assurance

q^A\\

w fu*J*Approved Kjell W. BerganHead of SERTIT

: Date approved l Bth Ap ril 2011

SERTIT-01 6 CR

lBth April 2011

lssu e 1 .0 Page 5 of 22


000040 Rev B)

EAL 4


18th Apr i l 2011

2 Abbreviations

CC Common Criteria for Information Technology Secur ity Evaluat ion

CCRA Arrangement on the Recognit ion of Common Criter ia Cert if icates in the

Field of Information Technology Security

CEM Common Methodology for Information Technology Security Evaluation

EAL Evaluation Assurance Level

ETR Evaluation Technica l Report

EVIT Evaluation Faci l ity under the Norwegian Cert i f ication Scheme for IT

Secur ity

SERTIT Norwegian Cert if ication Author ity for IT Security

ST Secur ity Target

TOE Target of Evaluation

TSF TOE Secur ity Functions

TSP TOE Secur ity Pol icy


(VXR-000040 Rev B)

EAL 4


18th Apr i l 2011

Page 7 of 22

3 References

[1] Thinklogical VX 40 Router KVM Matrix Switch Secur ity Target , version 3.6,

January 2011.

[2] Common Criteria Part 1, CCMB-2009-07-001, Version 3.1 R3, July 2009.



[5] The Norwegian Cert if ication Scheme, SD001E, Version 8.0, 20 August 2010 .

[6] Common Methodology for Information Technology Security Evaluation,

Evaluation Methodology, CCMB-2009-07-004, Version 3.1 R3, July 2009.

[7] Evaluation Technica l Report Common Criteria EAL4 Evaluation of

Thinklogical Router KVM Mat rix Switches, v 1 .1, 2011-02-17.

[8] Configuration Management_1_3.doc

[9] VX40_160_320_Manual_Rev_I .pdf

[10] VX40 Assembly Procedure_Rev A.pdf

[11] VX40 Configuration List_1_2.doc

[12] VxRouter-ASCII-API_4_1.pdf

[13] VX Routers Switch Tables

[14] VX40_VEL-4_VEL-24_Quick_Start_Rev_B.pdf .


000040 Rev B)

EAL 4


18th Apr i l 2011

4 Executive Summary

4.1 Introduction

This Cert if ication Report states the outcome of the Common Criter ia security

evaluation of Thinklogical VX 40 Router KVM Matrix Switch (VXR-000040 Rev B) to

the Sponsor , Forsvarets Logist ikkorganisas jon / lnvesteringsavdel ingen/ NBF , and is

intended to ass ist prospective consumers when judging the suitabi l ity of the IT

security of the product for their part icular requirements.

Prospective consumers are advised to read this report in conjunct ion with the

Secur ity Target [1] which specif ies the functional , environmental and assurance

evaluation requirements.

4.2 Evaluated Product

The version of the product evaluated was Thinklogica l VX 40 Router KVM Matrix

Switch (VXR-000040 Rev B) .

This product is a lso described in this report as the Target of Evaluation (TOE) . The

developer was Thinklogical .

Thinklogical VX 40 Router KVM Matrix Switch provides remote connections from a set

of shared computers to a set of shared per ipherals . The switching capabi l ity of the

TOE is used to connect ports on a part icular computer to a part icular peripheral set .

The corresponding electronic signal f rom a computer port is transformed into an

optical s ignal by the Velocity extender, transmitted through an opt ical f iber ,

switched by the KVM Matrix Switch to another optical f iber , and then transformed

back to an e lectronic form by the Velocity extender. The re sult ing s ignal is used by

the shared peripherals .

Details of the evaluated configuration, including the TOE’s supporting guidance

documentation, are given in Annex A.

4.3 TOE scope

4.3.1 System Type and Overview

The TOE is a Bi-directional routing system, which prov ides connect ion of 40 optical

inputs located on the Upstream ports to any or al l of the 40 opt ical outputs located

on the Downstream ports and connection of 40 optical inputs located on the

Downstream ports to any or a l l of the 40 optical outputs located o n the Upstream

ports . The TOE consists of 8 Data Upstream Cards having 5 opt ical input and Output

ports and 8 Data Downstream Cards having 5 optical input and Output ports . The

TOE allows for remote operation of shared computers using sets of shared

peripherals , dynamically connecting (switching) physica l ports on a part icular

computer to a part icular shared peripheral set .

The TOE consists of the fol lowing hardware devices:


(VXR-000040 Rev B)

EAL 4


18th Apr i l 2011

Page 9 of 22

Thinklogical KVM Matrix Switch (VX40 Router)

8 Data Upstream Cards

8 Data Downstream Cards

Velocity Transmitter Extenders are connected to Transmitter Port Groups on the Data

Upstream Cards of the Switch using optical f ibers connections. Transmitter Port

Groups are marked green on the VX40 Switch.

Velocity Receiver Extenders are connected to receiver port groups on the Data

Downstream Cards of the Switch us ing optica l f iber connect ions. Receiver Port

Groups are marked blue on the VX40 Switch.

Each Transmitter and Receiver Port Group is composed of two ports: T port and R

port . Two optical cables are then required to connect a Velocity Transmitter or

Receiver Extender to a Transmitter or Receiver Port Group on the Switch. One cable is

used to transmit data from the Extender to the Switch; the other cable is used to

transmit data from the Switch to the Extender. As a result , a bi -directional

connection is established, where data can flow in both direct ions.

All data types, including video, audio and ser ial data are converted to an opt ical

form and transmitted in a single optica l cable.

The purpose of the Switch is to establ ish logical connections between Transmitter

and Receiver Port Groups, while preserving Data Separation Secur ity Function Pol icy

(SFP) .

Data Separation Secur ity Funct ion Policy states that data shall f low between

Transmitter Port group A and Receiver Port group B if and only if a deliberate logica l

connection has been established to connect A to B. There shall be no data f low

between any pair of Transmitter Port Groups or Receiver Port Groups. There shal l be

no data f low between Transmitter Port Groups or Receiver Port Groups and any other

physical port on the Switch.

The TOE can be administe red over a wired 10/100BASE-TX LAN connection or the

Serial (RS232) connect ion using an external management computer. This computer

was not part of the evaluation, but assumed to be physical ly secure .


000040 Rev B)

EAL 4


18th Apr i l 2011

4.3.2 TOE Physical Boundaries

VX 40 Router KVM Matrix Switch is a hardware device. TOE Physical Boundaries then

correspond to the physical boundaries of the device enclosure.

4.3.3 TOE Logical Boundaries

TOE logical boundar ies include al l software and fi rmware components ins ide the VX40

Router KVM Matrix Switch.

The following Secur ity Functions are provided by the TOE

User Data Protection (enforces Data Separation SFP) ,

This Security Target includes all product security features . There are no security

features outs ide the scope of the evaluation.

4.4 Protection Profile Conformance

The Secur ity Target [1] did not c laim conformance to any protection prof i le .

F igure 1 shows the VX320 Router in an eva lua ted conf igura t ion . An equ iva lent layout is

the eva luated conf igurat ion fo r the VX40 and VX160 Routers .


(VXR-000040 Rev B)

EAL 4


18th Apr i l 2011

Page 11 of 22

4.5 Assurance Level

The Secur ity Target [1] specif ied the assurance requirements for the evaluation.

Predef ined evaluation assurance level EAL 4 was used. Common Cr iteria Part 3 [4]

descr ibes the scale of assurance given by predefined assurance levels EAL1 to EAL7.

An overview of CC is given in CC Part 1 [2] .

4.6 Security Policy

The TOE secur ity pol icies are detailed in the ST[1] .

4.7 Security Claims

The Secur ity Target [1] fully specif ies the TOE’s secur ity objectives, the threats ,

Organisational Secur ity Policies which these objectives meet and security funct ional

requirements and secur ity functions to e laborate the objectives . Al l of the SFR’s are

taken from CC Part 2 [3]; use of this standard facil itates comparison with other

evaluated products.

4.8 Threats Countered

Residual data may be t ransferred between dif ferent port groups in v iolation of

data separation secur ity policy

State information may be transferred to a port group other than the intended

one

4.9 Threats Countered by the TOE’s environment

The TOE may be delivered and installed in a manner which v iolates the secur ity

pol icy .

An attack on the TOE may violate the security policy.

4.10 Threats and Attacks not Countered

No threats or attacks that are not countered are descr ibed.

4.11 Environmental Assumptions and Dependencies

The switch, the transmitters , the receivers , the optical connect ions f rom the

Switch to the transmitters and receivers and the wired network connections

from the Switch to the administrators are physical ly secure.

The TOE meets the appropr iate national requirements ( in the country where

used) for conducted/radiated electromagnetic emiss ions.

The TOE is installed and managed in accordance with the manufacturer ’s

direct ions.

The TOE users and administrators are non-hosti le and fol low a ll usage

guidance.


000040 Rev B)

EAL 4


18th Apr i l 2011

Vulnerabil it ies associated with attached devices are a concern of the

appl ication scenar io and not of the TOE.

4.12 IT Security Objectives

The TOE shall not v iolate the conf ident ial ity of information which it processes.

Information generated within any per ipheral set/computer connection shall

not be access ible by any other peripheral set/computer connect io n.

No information shall be shared between switched computers and periphera l

sets via the TOE in v iolation of Data Separation SFP.

4.13 Non-IT Security Objectives

The TOE shall meet the appropriate national requirements ( in the country

where used) for conducted/radiated electromagnetic emissions.

The TOE shall be installed and managed in accordance with the manufacturer ’s

direct ions.

The authorized user shall be non-hosti le and fol low al l usage guidance.

The Switch, the transmitters , the receivers , the optical connect ions f rom the

Switch to the transmitters and receivers and the wired network connections

from the TOE to the administrators shall be physically secure.

Vulnerabil it ies associated with attached devices or their connect ions to the

TOE, shall be a concern of the application scenario and not of the TOE.

4.14 Functional Security Requirements

Enforce the Data Separation Policy when exporting user data, controlled under

the SFP, from outs ide of the TOE.

Export the user data without the user data's associated security att r ibutes.

Enforce the Data Separation Policy on the set of Transmitter and Receiver Port

Groups, and the bi-directional f low of data and state informa tion between the

shared peripherals and the switched computers.

Enforce the Data Separation Policy based on the fol lowing types of subject

and information security attr ibutes:

- Transmitter and Receiver Port Groups (subjects)

- peripheral data and state information (objects)

- port group IDs

- logical connections of Transmitter and Receiver Groups (attr ibutes)

Permit an information flow between a control led subject and control led

information via a controlled operation if the following rules hold:

- peripheral data and state information can only f low between

Transmitter and Receiver port groups that have been previously

logical ly connected by the administrator usi ng the TOE management

interface

Enforce that Transmitter Port Group may be logically connected to mult iple

Receiver Port Groups, out of which bi -directional information flow wil l be

established only with a single Primary Receiver Port Group se lected by the


(VXR-000040 Rev B)

EAL 4


18th Apr i l 2011

Page 13 of 22

administrator . The remaining Non -Pr imary Receiver port groups wil l only

receive unidirectional mult icast audio and video s ignals . Any Receiver Port

Group may only be logically connected to a single Transmitter Port Group .

Explic it ly deny an information f low based on the fol lowing rules:

- No data or state information f low shall be al lowed between logi ca lly

unconnected port groups.

- No data or state information f low shall be al lowed between any two

Receiver Port Groups.

- No data or state information f low shall be al lowed between any two

Transmitter Port Groups.

- No data or state information f low shall be al lowed between any

Receiver or Transmitter Port Group and any other non -optica l physical

port on the Switch

4.15 Security Function Policy

The TOE logical ly connects Transmitter and Receiver Port Groups according to the

current switching conf iguration. The data f lows between a part icular Transmitter Port

Group and a set of Receiver Port Groups if and only i f there is an active logical

connection connecting these. If there are mult iple Receiver Port Groups connected to

a Transmitter Port Group, bi -directional information f low wil l be then established

between the Pr imary Receiver Port Group and the Transmitter Port Group. The

remaining Non-Primary Receiver Port Groups wil l receive uni -directional mult i -cast

video and audio signals from the Transmitter Port Group .

4.16 Evaluation Conduct

The evaluation was carried out in accordance with the requirements of the

Norwegian Cert if ication Scheme for IT Secur ity as described in SERTIT Document

SD001[5] . The Scheme is managed by the Norwegian Cert if ication Authority for IT

Secur ity (SERTIT) . As stated on page 2 of this Cert if ication Report , SERTIT is a

member of the Arrangement on the Recognit ion of Common Cr iteria Cert if icates in

the Field of Information Technology Security (CCRA), and the evaluation was

conducted in accordance with the terms of this Arrangement.

The purpose of the evaluation was to provide assurance about the effectiveness of

the TOE in meet ing its Secur ity Target [1] , which prospective consumers are advised to

read. To ensure that the Secur ity Target [1] gave an appropr iate baseline for a CC

evaluation, it was f irst itself evaluated. The TOE was then evaluated against this

baseline. Both parts of the evaluation were performed in accordance with CC Part

3[4] and the Common Evaluation Methodology (CEM) [6] .

SERTIT monitored the evaluation which was carried out by the Norconsult EVIT

Commercial Evaluation Facil ity (CLEF/EVIT) . The evaluation was completed when the

EVIT submitted the f inal Evaluation Technical Report (ETR) [7] to SERTIT in

17.02.2011 . SERTIT then produced this Cert if ication Report .


000040 Rev B)

EAL 4


18th Apr i l 2011

4.17 General Points

The evaluation addressed the security funct ionality c laimed in the Security Target [1]

with reference to the assumed operating environment specif ied by the Secur ity

Target[1] . The evaluated configuration was that specif ied in Annex A. Prospect ive

consumers are advised to check that this matches their identif ied requirements and

give due consideration to the recommendations and caveats of this report .

Cert if ication does not guarantee that t he IT product is f ree from security

vulnerabil it ies . This Cert if ication Report and the belonging Cert if icate only reflect

the view of SERTIT at the t ime of cert if ication. It is furthermore the responsibi l ity of

users (both exist ing and prospective) to chec k whether any secur ity vulnerabil it ies

have been discovered s ince the date shown in this report . This Cert if ication Report is

not an endorsement of the IT product by SERTIT or any other organization that

recognizes or gives effect to this Cert if ication Rep ort , and no warranty of the IT

product by SERTIT or any other organizat ion that recognizes or gives effect to this

Cert if ication Report is either expressed or implied.


(VXR-000040 Rev B)

EAL 4


18th Apr i l 2011

Page 15 of 22

5 Evaluation Findings

The evaluators examined the following assurance classes and compo nents taken from

CC Part 3 [4] . These classes comprise the EAL 4 assurance package.

Assurance class Assurance components

Development ADV_ARC.1 Secur ity architecture description

ADV_FSP.4 Complete functional specif ication

ADV_IMP.1 Implementation representation of the

TSF

ADV_TDS.3 Basic modular design

Guidance documents AGD_OPE.1 Operational user guidance

AGD_PRE.1 Preparative procedures

Life-cycle support ALC_CMC.4 Production support , acceptance

procedures and automation

ALC_CMS.4 Problem tracking CM coverage

ALC_DEL.1 Delivery procedures

ALC_DVS.1 Identif ication of secur ity measures

ALC_LCD.1 Developer defined l ife -cycle model

ALC_TAT.1 Well-defined development tools

Secur ity Target

evaluation

ASE_CCL.1 Conformance cla ims

ASE_ECD.1 Extended components defin it ion

ASE_INT.1 ST introduct ion

ASE_OBJ.2 Secur ity objectives

ASE_REQ.2 Derived security requirements

ASE_SPD.1 Secur ity problem defin it ion

ASE_TSS.1 TOE summary specif ication

Tests ATE_COV.2 Analys is of coverage

ATE_DPT.1 Test ing: bas ic design

ATE_FUN.1 Functional test ing

ATE_IND.2 Independent test ing – sample

Vulnerabil ity assessment AVA_VAN.3 Focused vulnerabi l ity analysis

All assurance classes were found to be satisfactory and were awarded an overall

“pass” verdict .


000040 Rev B)

EAL 4


18th Apr i l 2011

5.1 Introduction

The evaluation addressed the requirements specif ied in the Security Target [1] . The

results of this work were reported in the ETR [7] under the CC Part 3 [4] headings. The

fol lowing sections note considerations that are of part icular re levance to either

consumers or those involved with subsequent assurance maintenance and re -

evaluation of the TOE.

The EAL 4 evaluation of the Thinklogica l VX 40 Router KVM Matrix Switch has shown

that the TOE is methodically designed, tested and reviewed. The evaluation has

further shown that the TOE is developed in a secure environment, uses well -defined

development tools , has a properly def ined l ife -cycle model and has procedures for

standard commercia l deli very services. The TOE is under proper configuration

management, and fol lows str ict procedures on how for instance changes to the TOE

are reviewed and accepted. The guidance documentation helps instal l , administer and

use the TOE in a secure manner. The TO E has been tested and reviewed for exploitable

vulnerabil it ies using an Enhanced -Basic attack potential , by both the developer and

evaluators.

I f the TOE is not physically protected and managed as required for the highest level

of security classif ied data handled or transferred by the TOE, the KVM switch can be

tampered with leading to the compromise of sensit ive data or a denial of service

caused by the disruption of the systems the KVM switch is connected. In an evaluated

conf iguration, the KVM switch is physical ly protected in accordance with the

requirements of the highest c lassi f ication connected to the KVM switch.

Without a backup of the KVM switch's configuration, a denial of serv ice may occur i f

the conf iguration cannot be restored quickly in the adv ent that it is lost or a faulty

switch needs to be replaced. Tests performed by the evaluator verify that

conf igurations are not lost in case of fai l -over between primary and secondary

controller card, upstream/downstream cards or SFP+ modules.

I f a network attached KVM switch is attached to a dedicated network there is less

opportunity for a mal ic ious user to compromise the interface and create a denial of

service by issuing disruptive commands to a server . The guidance documentation

states that the Network Hub is a dedicated network that is only used to connect the

VX Router to the computer server . This dedicated network does not connect to any

other components and does not extend beyond the physically secure environment. The

dedicated network connection could be replaced by a direct ser ial connection (RS -

232) between the VX Router and the computer server . It also states that the VX

Router and the computer server used to manage the Router must be protected

according to the highest secur ity c lass if ication of any component in the entire

network appl ication.

Without a written description of the KVM switch, the management devices (CSCS)

attached to the KVM switch, and the classif ication level of each information system

attached to the KVM switch, tampering with the KVM switch by adding or moving


(VXR-000040 Rev B)

EAL 4


18th Apr i l 2011

Page 17 of 22

connections cannot be verif ied and the physical conf iguration cannot be reproduced

if needed. This can lead to a denial of service if a connection is removed or moved or

a compromise of sensit ive data if a connection is a dded or moved. When the TOE is

implemented in its operational environment, a written description of the KVM switch,

the information systems attached to the KVM switch, and the c lassi f ication level of

each information system attached to the KVM switch should be created.

As the guidance documentation descr ibes, it i s recommended that the messages f i le

are reviewed and any errors in the Restr ict ive Switching Table be corrected before

implementing mult iple levels of secur ity c lass if icat ion domains on the same VX

Router. It is also recommended that Restr ict ive Switching be fully tested before

implementing mult iple levels of secur ity c lass if icat ion domains on the same VX

Router.

5.2 Delivery

On receipt of the TOE, the consumer is recommended to check that the evaluat ed

version has been supplied, and to check that the secur ity of the TOE has not been

compromised in del ivery.

The Thinklogical Conf iguration Management process [8] assures that al l products

shipped from the warehouse are fully documented and that they fol low the CM

procedures. Products are shipped via Federal Express, UPS or DHL to the consumer. A

signature is required at the receiv ing end for al l shipments.

Dimensions and weight are noted for each shipment. The CM process assures that al l

tracking information and shipment information within Intuit ive software are logged

as well as hard copies in the Sales Order folder .

In the product manual [9] , Part 1, Instal lat ion, there are provided acceptance

procedures describing what the consumers should check for in t he delivered product .

These procedures should ensure that the consumers inspects the delivered product

and finds it in good condit ion so that the installat ion process can begin.

5.3 Installation and Guidance Documentation

In the product manual [9] “Part 1: Hardware” there is included a text descr ibing that

user has to check that al l parts of the TOE as indicated in the ST have been delivered

in the correct vers ion. If you have ordered an EAL4 cert if ied unit , p lease verify that

you have received the proper materia ls . The label described is in accordance with the

ST [1] .

5.4 Misuse

There is always a r isk of intentional and unintentional misconfigurations that could

poss ibly compromise confidential information. Administrators should follow the

guidance [9] for the TOE in order to ensure that the TOE operates in a secure manner.

The guidance documents adequately the mode of operation of the TOE, al l

assumptions about the intended environment an d all requirements for external


000040 Rev B)

EAL 4


18th Apr i l 2011

security. Sufficient guidance is provided for the consumer to effect ively administer

and use the TOE’s security functions.

5.5 Vulnerability Analysis

The evaluators’ assessment of potentia l exploitable vulnerabi l it ies in the TOE has

been addressed and shows that the vulnerabil ity analysis is complete, and that the

TOE in its intended environment is resistant to attackers with an Enhanced -Basic

attack potential .

5.6 Developer’s Tests

The evaluators’ assessments of the developers’ tests shows that the developer test ing

requirements is extensive and that the TSF sat isf ies the TOE security functional

requirements. The test ing performed on the TOE by both the developer and evaluator

showed that the EAL 4 assurance components requirements a re fulf i l led.

5.7 Evaluators’ Tests

The evaluator have independent ly tested the TSFs and verif ied that the TOE behaves

as specif ied in the design documentation and conf idence in the developer's test

results is ga ined by performing a sample of the developer's t ests .

6 Evaluation Outcome

6.1 Certification Result

After due consideration of the ETR [7] , produced by the Evaluators, and the conduct

of the evaluation, as witnessed by the Cert if ier , SERTIT has determined that

Thinklogical VX 40 Router KVM Matrix Switch (VXR-000040 Rev B) meet the Common

Criter ia Part 3 conformant requirements of Evaluation Assurance Level EAL 4 for the

specif ied Common Criteria Part 2 conformant functional ity in the specif ied

environment.

6.2 Recommendations

Prospective consumers of Thinklogical VX 40 Router KVM Matr ix Switch (VXR-000040

Rev B) should understand the specif ic scope of the cert if ication by reading this

report in conjunction with the Security Target [1] . The TOE should be used in

accordance with a number of environmental considerations as specif ied in the

Secur ity Target .

Only the evaluated TOE conf igurat ion should be instal led. This is specif ied in Annex A

with further relevant information given above under Section 4.3 “TOE Scope” and

Section 5 “Evaluation F indings”.

The TOE should be used in accordance with the supporting guidance documentation

included in the evaluated configuration.


(VXR-000040 Rev B)

EAL 4


18th Apr i l 2011

Page 19 of 22

6.2.1 Restrictive Switching

Restrict ive Switching is used to provide for mult iple levels of secur ity classif ication

domains on the same VX Router. Each destination needs to ensure that no

unauthorized content is displayed or accessed. Therefore, each input and output

needs to be pr iorit ized. Priorit ies can range from 1 to the total number of ports that

can be connected in a switch matrix . An output can connect to an input with a

priority greater than or equal to its priority.

The Restricted Switching function is performed according to a table defin ing the

Input and Output port number and its prior ity value. The restr icted output is

determined before enabling the output.

VX40_160_320_320V_Manual_Rev_H.pdf, Appendix D: Secure Applications shows an

explanation of how to provide a table def in ing pr ior it ies for each input and output of

the switch matrix . This document descr ibes how to create a csv f i le that wil l enable

restrict ive switching.

One very important point from this document is the exact descr iption of the

characters that must be used in the table, these are quoted below. Fail ing to use the

characters exact ly as described this wil l cause the Restr ict ive Switching to fai l .

Using advanced text editors (e .g. MS Word) to bui ld the table can cause problems as

many advanced text editors use auto-correct functions that wi l l replace some ASCII

characters with others .

Double quotes (or speech marks) , character code = 34 (")

Lower case i character code = 105 ( i)

Lower case o character code = 111 (o)

Comma character code = 44 ( , )

Carriage Return character code = 13 (CR)

Line Feed character code = 10 (LF)

The VX Router wil l interpret the Restrict ive Switching Table (csv f i le ) during the

boot-up. Any errors that occur dur ing the Restrict ive Switching Table interpretation

process wil l be logged in the messages f i le at the fol lowing location:

var/log/messages

It is recommended that the messages f i le be reviewed and any errors in the

Restrict ive Switching Table be corrected before implementing mult iple levels of

security c lassi f ication domains on the same VX Router. It is also recommended that

Restrict ive Switching be fully tested before implementing mult iple levels of security

class if ication domains on the same VX Router.


000040 Rev B)

EAL 4


18th Apr i l 2011

NOTE: All modules may be replaced without interruption to other module functions.

Load-sharing Redundant Power Supplies

Enunciator Ports (for alarms) Fan Tray Module

Primary Controller Card

(Back-Up Controller Card is optional)

Output (Downstream) Cards

Ports 1-40

Input (Upstream) Cards

Ports 1-40

10

0-2

40

v –

50/6

0 H

z 1

2A

10

0-2

40

v –

50/6

0 H

z 1

2AALARM

UPSTREAM DOWNSTREAM CONTROLLER

1-5 6-10 26-3011-15 16-20 21-25 31-35 36-40 1-5 6-10 26-3011-15 16-20 21-25 31-35 36-40

T

R

5

4

3

2

1

T

R

CONSOLE

ACTIVE

RESET

FAULT

LAN

CONSOLE

ACTIVE

RESET

FAULT

LANT

R

5

4

3

2

1

T

R

T

R

5

4

3

2

1

T

R

T

R

5

4

3

2

1

T

R

T

R

5

4

3

2

1

T

R

T

R

5

4

3

2

1

T

R

T

R

5

4

3

2

1

T

R

T

R

5

4

3

2

1

T

R

T

R

5

4

3

2

1

T

R

T

R

5

4

3

2

1

T

R

T

R

5

4

3

2

1

T

R

T

R

5

4

3

2

1

T

R

T

R

5

4

3

2

1

T

R

T

R

5

4

3

2

1

T

R

T

R

5

4

3

2

1

T

R

T

R

5

4

3

2

1

T

R

CONTROLLER CONTROLLER

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

T

R

POWER POWER POWER POWER POWER POWER POWER POWER POWER POWER POWER POWER POWER POWER POWER POWER

Annex A: Evaluated Configuration

TOE Identification

Thinklogical VX 40 Router KVM Matrix Switch is a f iber optic switch using mult i-

mode or s ingle-mode fiber optics to transmit and receive a digital video pulse stream

without alterat ion or interpretation of the or iginal signal . The TOE provides remote

connections from a set of shared computers to a set of shared peripherals . The

switching capabil ity of the TOE is used to connect ports on a part icular computer to

a part icular per iphera l set . The TOE provides a capabi l ity to dynamically change the

switching configuration.


(VXR-000040 Rev B)

EAL 4


18th Apr i l 2011

Page 21 of 22

The TOE enforces secure separation of information flows corresponding to different

switched connect ions. The corresponding Data Separation Security Pol icy is the main

security feature of the TOE.

TOE Documentation

The supporting guidance documents evaluated were:

[a] ThinklogicalSecur ityTarget_3_6_VX40.doc

[b] Configuration Management_1_3.doc

[c] Quality Manual Appendix_Rev_A.pdf

[d] Quality Manual Issue_Rev_New.pdf

[e] VX40_160_320_Manual_Rev_I .pdf

[f] VX40 Assembly Procedure_Rev A.pdf

[g] ALC.TAT.1_Intuit ive_1_0.pdf

[h] ECR FORM_1_0.doc

[i] VX40 Configuration List_1_2.doc

[j] ALC.DEL_1_0.doc

[k] ALC_1_1.doc

[l] FlowChart_1_1.pdf

[m] Software ALC_TAT_1_1.pdf

[n] AutoCAD TAT_1.0.pdf

[o] ALC.TAT.1_Intuit ive_1_0.pdf

[p] PADS POWERPCB.pdf

[q] Guide for PADS Projects Rev2.pdf

[r] ECRs_1_0.pdf

[s] ADV_ARC_1_1.pdf

[t] VX40_Funct ionalSpec_1_1.pdf

[u] VX40_DesignSpec_1_2.pdf

[v] VxRouter-ASCII-API_4_1.pdf

[w] VX Routers Switch Tables

[x] MatrixSwitchContFlow_1_1.pdf

[y] VX40_VEL-4_VEL-24_Quick_Start_Rev_B.pdf

[z] VX40_VEL-3AV+_VEL-24_Quick_Start_Rev_B.pdf


000040 Rev B)

EAL 4


18th Apr i l 2011

[aa] VX Common Criter ia Test-VX40_1_3.pdf

[bb] VX Common Criter ia Test-VX40_1_3_with_test_results .pdf

[cc] ATE_COV_VX_1_3.doc

[dd] ATE_DPT_VX_1_2.pdf

[ee] VX40 Checkl ist_1_0.xls

[ff] VX40_test_1_0.doc

[gg] ALC_DVS_1_0.doc

[hh] Employee Manual_Rev A.pdf

[ i i ] Organization Chart_1_0.docx

[j j ] Part Codes_1_0.xls

[kk] ADV_IMP_VX40_1_0.pdf

[ l l ] Using-the-ASCII-Interface_4_0.pdf

TOE Configuration

The following conf iguration was used for test ing:

Velocity Matrix Router 40 (VXR-000040 Rev B)

Velocity Matrix Router 40 Data Upstream Card, 5 Ports , SFP+, Mult i -Mode (VXM-

DI0005 Rev A)

Velocity Matrix Router 40 Data Downstream Card, 5 Ports , SFP+, Mult i -Mode (VXM-

DO0005 Rev A)

Item Identifier Version

Hardware Velocity Matrix Router 40 VXR-000040 Rev B

Hardware Velocity Matrix Router 40 Data

Upstream Card, 5 Ports , SFP+, Mult i -

Mode

VXM-DI0005 Rev A

Hardware Velocity Matrix Router 40 Data

Downstream Card, 5 Ports , SFP+,

Mult i-Mode

VXM-DO0005 Rev A

Manuals VX40_160_320_Manual Rev_I

SERTIT-016 CR Certification Report - Common Criteria · 2011. 5. 3. · SERTIT-016 CR Certification Report Issue 1.0 18th April 2011 Thinklogical VX 40 Router KVM Matrix Switch (VXR-000040

Documents